Law 1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore. "...Law 1 isn't really about shortcomings or vulnerabilities in software. It is really about vulnerabilities in people!" "...It is extremely important to understand what the term 'security boundary' means" "...Even if you do not have administrative privileges, it may not matter. You, as a standard user, still have access to lots of juicy information" "...if you define 'your computer' as 'the data you manage on your computer,' you can ignore any discussions about privilege and simply conclude that Law 1 holds." "...user education is critical in addition to ensuring that users do not have permission to perform administrative tasks"

Law 2: If a bad guy can alter the OS on your computer, it's not your computer anymore. "...it is not the act of doing something that means your computer is compromised. The thing that matters only is that someone has the ability to do something." "...If a computer is wide open to the Internet and goes unpatched for months, is it still trustworthy? No. That computer must be considered compromised."

Law 3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore. "...All things considered, Law 3 does still apply. It is true that certain technologies available today go a long way towards stopping many attackers with physical access and thus minimize the number of attackers able to access data on a computer that employs a safety measure. That said, the capabilities of the attacker always define how much the attacker can actually achieve, and new technologies address many of the 10 immutable laws—to an extent. But physical access still offers ways, though more complex, into a system."